Containers: An Emerging Cloud Technology

Asad Javed
Aalto University
Department of Computer Science

Abstract—Linux containers, commonly known as LXC, have become a popular approach for creating virtual environments inside a large computer system. LXC is a lightweight infrastructure which creates multiple virtual Linux systems simultaneously on a single host machine. Linux kernel features are used to provide an isolated environment for applications within multiple systems. The main goal of LXC is to create an environment as close as possible to the standard Linux system, thus providing scalable and performance-efficient systems, which is why it is considered an emerging cloud technology. This paper presents a thorough survey of LXC along with two well-known and important kernel features, namespaces and cgroups. A comparison between container-based and hypervisor-based virtualization is also made in order to understand this phenomenon completely. At the end, the Docker platform is explained, which is an open-source project and a running application of Linux containers.

Keywords—linux, namespaces, kernel, cloud, cgroups, docker

I. INTRODUCTION

In recent years, virtualization has become very popular in large distributed systems, since the need to make the whole system efficient has become evident. With the advent of distributed systems and cloud computing, a virtualized environment is found in almost every data center. Due to this emergence, there are many software solutions, such as VMware [1], which provides cloud and software services; Xen [2], which provides services based on a microkernel design; Kernel Virtual Machine (KVM) [3], which also provides full virtualization; and Hyper-V [4], which is specifically for Windows Server. These solutions are known as hypervisor-based virtualization and are also considered efficient, as they have many features. Some of these features include portability, easier backups, isolation, security, and migration to the cloud [5]. Due to the large number of benefits, virtualization can also be considered a foundation of cloud technology.

Although virtualization provides efficiency and scalability, there is also a resource overhead when it comes to traditional virtualization. At that point, Linux container-based virtualization (LXC) comes into practice. This approach has a different context compared to a hypervisor. It is operating-system-level virtualization, unlike a hypervisor, which is hardware-level virtualization, and it creates multiple systems on a single host. Conceptually, it can be considered a lightweight virtualization because applications run in a separate container that shares the resources of the host operating system [5] [6]. The whole execution environment, such as libraries, file system, scripts, application, and operating system, is put in a container and then executed on a single host. In this way, the system becomes more efficient in terms of processing, and applications run in an isolated form irrespective of the other applications [7] [8].

The rest of the paper is organized as follows. Section II describes the difference between traditional hypervisor-based virtualization and the LXC approach. Section III presents the kernel features which are used by containers in order to provide isolation and scalability. An application of LXC, named Docker, is illustrated along with its usage in Section IV. Finally, the paper ends with a conclusion in Section V. In addition, a separate document has been provided [16] which demonstrates Linux containers and how to use them with the proper commands.

II. COMPARISON BETWEEN HYPERVISOR AND CONTAINERS

Despite the fact that virtualization offers a huge amount of benefits, there is still a difference between hypervisor-based and container-based virtualization, where the latter provides greater efficiency [8] [9]. The comparison is shown in Fig. 1.

[Fig. 1. Hypervisor vs Linux containers. (a) Hypervisor based virtualization: App, Binaries/Libraries and Guest OS stacked per virtual machine, on top of Hypervisor, Host and Server. (b) Linux containers: App and Binaries/Libraries inside each Container, on top of the Host Operating System and Server.]

According to Fig. 1(a), it can be seen that there is a separate hypervisor layer running on top of a host operating system. This layer consists of a virtual machine monitor that provides full abstraction of virtual machines, which then act as guest OSes. In that case, all created VMs are isolated from each other and act as a separate OS on top of the physical host. Due to this hypervisor, every VM has its own kernel, which makes the application more expensive. Moreover, all the binaries and libraries are also created along with a kernel, which is of course a great overhead in terms of resource allocation [7] [9].

Unlike any hypervisor-based system, there is another lightweight virtualization based on Linux containers. LXC removes that overhead and provides a full-fledged OS in the form of containers, as can be seen from Fig. 1(b). The kernel of the host OS is shared between all containers, which are thus able to run many processes in an isolated fashion [7] [8].

There are many benefits of using container-based virtualization which distinguish it from traditional hypervisor-based virtualization [10]. Some of the benefits are described below.

A. Portability
Since LXC is portable, it can be run in any environment without changing the functionality. The applications running in a container can also be bundled together in a single unit and then deployed and separated into another environment.

B. Scalability
LXC can run on any Linux system and then scale up from one to a hundred and scale down again. Another interesting factor is the deployment from a physical system into the cloud and then back to the system again. Thus, containers are easily suited for public cloud platforms with scale-out applications.

C. Isolation
It provides complete isolation between the processes running in a container. It also provides isolation between multiple containers. For that, it uses two separate kernel features, namespaces and cgroups, which are discussed in Section III.

D. Flexibility
As there is no overhead while creating containers, it has the flexibility to share multiple resources of the host operating system between different guests. Moreover, building, developing, and deploying new containers is easy, which in turn reduces time and provides good visibility.

Apart from all the benefits, there are two features which are still better in hypervisor-based machines. These are security and isolation. A hypervisor provides more security compared to containers because it has attack-barrier functionality [5]. For isolation, container-based virtualization is supposed to have weaker isolation, as it works at OS level and shares most of the resources of the host operating system. However, from the user's perspective, container-based virtualization looks like a stand-alone system with all the resources required for its functionality [7]. Moreover, containers are very easy to set up and use compared to hypervisors. Their usage is demonstrated in a separate HOWTO document [16].

III. KERNEL FEATURES

In order to provide more isolation in container-based virtualization, there are six kernel features which LXC can use. These are: namespaces, cgroups, SELinux profiles, seccomp policies, chroots, and kernel capabilities [6]. Two of them are the most important features and are discussed below.

A. Namespaces
The main purpose of using namespaces is to provide per-process isolation within containers; a namespace wraps a global system resource in an abstraction. It ensures that the processes assigned to the same namespace run only in that space, without interfering with other processes. It also ensures isolation between containers and guarantees that containers only see their own environment. Currently, there are six namespaces in the Linux implementation, which are described below [11] [12].

a) Mount namespaces (mnt): They allow processes to have a different view of the filesystem mount points. Processes which are in separate mount namespaces have their own filesystem layout, different from that of other processes, thus providing isolation of the set of filesystems.

b) UTS namespaces (uts): This namespace allows containers to have their own hostnames. It isolates two system identifiers, nodename and domainname, which are separate for every container.

c) PID namespaces (pid): They allow processes to have different IDs by assigning separate process identifiers, thus providing isolation of the PID number space. Processes which are in different namespaces can have the same IDs but are hidden from each other. A process in the parent namespace can still see the processes in the child namespace.

d) IPC namespaces (ipc): This namespace offers isolation of inter-process communication resources (such as POSIX message queues and System V IPC objects) between multiple namespaces.

e) User namespaces (user): They allow processes to have different user and group IDs, thus providing isolation between the outside and the inside of a user namespace.

f) Network namespaces (net): They provide isolation of networking resources, and each container has its own network devices. Thus, each network namespace contains separate routing tables, iptables firewalls, and network interface controllers.

B. Cgroups (Control groups)
Control groups, known as cgroups, are the main kernel feature that allows limiting and isolating the resource usage of processes, such as CPU time, system memory, disk bandwidth, and network bandwidth, as well as monitoring it. LXC uses these sub-resources of cgroups to assign different features within separate containers. The usage of these features is demonstrated in section 8 of the HOWTO document provided in [16]. Moreover, LXC allocates these resources by dividing the application into multiple groups. Then a profile, based on these resources, is assigned to each group. After that, the processes which are specific to that profile run in a dedicated group. This provides isolation within the group, and there is no interference between multiple groups. Furthermore, after creating groups, there is a way to monitor these groups along with denying or assigning further resources. It is also possible to reconfigure a specific group dynamically on a running system. By creating groups and assigning processes to them, hardware resources can be appropriately divided, thereby increasing overall performance [12] [13].

IV. DOCKER AS A RUNNING APPLICATION

Docker is an open-source distributed system platform based on LXC. By using the Linux resource features cgroups and namespaces, it allows independent containers to run within a Linux system. The main functionality of Docker is to allow faster deployment of applications inside containers, thus providing isolation and an additional layer of abstraction. There are two major components of Docker: Docker Engine, which manages and runs applications, and Docker Hub Registry, which manages and shares applications in the cloud [14] [15]. Its architecture, along with all the components, is shown in Fig. 2.

[Fig. 2: Docker's architecture. Client side: Docker Client. Server side, separated by a dotted line: Docker Daemon and libcontainer on top of the Operating System and Server, with the app and its lib/bin inside a container; the Registry in the cloud.]

Docker uses a client-server architecture. As can be seen from Fig. 2, there are four parts in the architecture: Docker daemon, client, libcontainer, and registry. The Docker daemon runs on a host OS and listens for requests from users/clients. The user does not communicate directly with the daemon but uses the Docker client to interact with it. This client can either be a command-line utility or some API. The dotted line shows the separation between the client and server side. The third part, libcontainer, is a library used to interact with the Linux OS kernel for accessing kernel features such as cgroups and namespaces. Finally, the fourth part is the registry, which is present in the cloud and contains the images of the containers.

In order to create containers using the Docker platform, the components interact with each other as follows:

• The user tells the Docker daemon, through the Docker client, to create a container using a particular image file.
• The daemon then downloads that image from the registry cloud and stores it on a server.
• Then it interacts with the Linux kernel through the libcontainer library in order to access kernel features.
• Finally, it creates the container from the image and the resource features.

V. CONCLUSION

In this paper, Linux containers (LXC) have been discussed along with a comparison between container-based and hypervisor-based virtualization. The benefits of LXC are also illustrated, which show the importance of containers. Two important kernel features, namespaces and cgroups, are also presented. These features are used to provide more isolation inside the container in order to make the system as efficient as possible. Namespaces provide a per-process isolation solution, while cgroups provide a resource management solution in terms of dividing processes into groups. After that, the Docker platform is illustrated, which is a running application of LXC and uses all the functionality of Linux containers.

REFERENCES

[1] VMware, 2015 [Online]. url: http://www.vmware.com/
[2] Xen Project, 2013 [Online]. url: http://www.xenproject.org/
[3] Kernel Virtual Machine, 2015 [Online]. url: http://www.linuxkvm.org/page/Main_Page
[4] Windows Server, Hyper-V, 2015 [Online]. url: https://technet.microsoft.com/enus/windowsserver/dd448604.aspx
[5] Technical white paper, "Linux container technology", HP, 2015.
[6] Linux Containers, [Online]. url: https://linuxcontainers.org/
[7] M. G. Xavier, M. V. Neves, F. D. Rossi, and T. C. Ferreto, "Performance Evaluation of Container-based Virtualization for High Performance Computing Environments," 21st Euromicro International Conference, pp. 233 - 240, 2013. DOI: 10.1109/PDP.2013.41
[8] White paper, "Linux Containers Streamline Virtualization and Complement Hypervisor-Based Virtual Machines," Intel, 2014.
[9] R. Morabito, J. Kjallman, and M. Komu, "Hypervisors vs. Lightweight Virtualization: A Performance Comparison," IEEE International Conference on Cloud Engineering (IC2E), pp. 386 - 393, March 2015. DOI: 10.1109/IC2E.2015.74
[10] A. M. Joy, "Performance Comparison Between Linux Containers and Virtual Machines," International Conference on Advances in Computer Engineering and Applications (ICACEA), pp. 342 - 346, March 2015. DOI: 10.1109/ICACEA.2015.7164727
[11] Namespaces in operation, part 1: namespaces overview, 2013 [Online]. url: https://lwn.net/Articles/531114/
[12] Resource management: Linux kernel Namespaces and cgroups, 2013 [Online]. url: http://www.haifux.org/lectures/299/netLec7.pdf
[13] J. Mehnert, M. Schottner, and C. Morin, "Checkpointing Process Groups in a Grid Environment," Ninth International Conference on Parallel and Distributed Computing, Applications and Technologies, pp. 243 - 251, December 2008. DOI: 10.1109/PDCAT.2008.14
[14] Docker, 2015 [Online]. url: http://docs.docker.com/
[15] Di Liu and Libin Zhao, "The Research and Implementation of Cloud Computing Platform Based on Docker," 11th International Conference on Wavelet Active Media Technology and Information Processing, pp. 475 - 478, December 2014. DOI: 10.1109/ICCWAMTIP.2014.7073453
[16] Asad Javed, "How to use Linux Containers (LXC)", A separate HOWTO document.
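Worked example for Section III.A (Namespaces), added to this copy of the paper and not code from the paper or from LXC. The Python program below forks a child, moves it into all six namespace types with libc's unshare(2), and has a grandchild, which is PID 1 of the new PID namespace, report its hostname, PID, network interfaces and namespace identifiers back to the parent over a pipe. It assumes a Linux kernel that permits unprivileged user namespaces; where that is refused (for example by a seccomp profile in a sandbox) it reports `supported: False` instead of raising. The CLONE_* values are the kernel's constants from <linux/sched.h>; the function names and the `sandbox` hostname are this example's own.

```python
# Added example: exercising Linux namespaces from user space.
# Assumes Linux with unprivileged user namespaces enabled; degrades
# to {"supported": False, ...} where the kernel or sandbox refuses.
import ctypes
import errno
import json
import os
import socket

# Flag values from <linux/sched.h>
CLONE_NEWNS = 0x00020000    # mount namespace
CLONE_NEWUTS = 0x04000000   # hostname / domainname
CLONE_NEWIPC = 0x08000000   # System V IPC, POSIX message queues
CLONE_NEWUSER = 0x10000000  # user and group IDs
CLONE_NEWPID = 0x20000000   # process IDs
CLONE_NEWNET = 0x40000000   # network stack

NS_TYPES = ("mnt", "uts", "pid", "ipc", "user", "net")
ALL_FLAGS = (CLONE_NEWNS | CLONE_NEWUTS | CLONE_NEWIPC
             | CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNET)


def namespace_ids(pid="self"):
    """Map each namespace type to the kernel's 'type:[inode]' identifier."""
    return {n: os.readlink(f"/proc/{pid}/ns/{n}") for n in NS_TYPES}


def _report(fd, payload):
    os.write(fd, json.dumps(payload).encode())
    os.close(fd)


def run_in_new_namespaces(hostname="sandbox"):
    """Fork a child into six fresh namespaces and return what it observed."""
    host_hostname = socket.gethostname()
    try:
        parent_ns = namespace_ids()
    except OSError as exc:  # no /proc: nothing to compare against
        return {"supported": False, "error": repr(exc),
                "host_hostname_unchanged": True}
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:  # ---- child: creator of the new namespaces
        os.close(rfd)
        try:
            libc = ctypes.CDLL(None, use_errno=True)
            libc.unshare.argtypes = [ctypes.c_int]
            # CLONE_NEWUSER in the same call: an unprivileged creator holds
            # full capabilities inside the new user ns, which owns the others.
            if libc.unshare(ALL_FLAGS) != 0:
                err = ctypes.get_errno()
                _report(wfd, {"supported": False,
                              "errno": errno.errorcode.get(err, str(err))})
                os._exit(0)
            # A new PID namespace applies to *children* of the caller, so
            # fork once more: the grandchild is PID 1 of the new namespace.
            gc = os.fork()
            if gc == 0:
                socket.sethostname(hostname)  # CAP_SYS_ADMIN in the owning user ns
                child_ns = namespace_ids()
                _report(wfd, {
                    "supported": True,
                    "hostname": socket.gethostname(),
                    "pid": os.getpid(),
                    "interfaces": [name for _, name in socket.if_nameindex()],
                    "new_ns": [n for n in NS_TYPES if child_ns[n] != parent_ns[n]],
                })
                os._exit(0)
            os.close(wfd)
            os.waitpid(gc, 0)
        except Exception as exc:  # report the failure instead of dying silently
            try:
                _report(wfd, {"supported": False, "error": repr(exc)})
            except OSError:
                pass
        os._exit(0)
    # ---- parent: collect the report
    os.close(wfd)
    chunks = []
    while True:
        buf = os.read(rfd, 4096)
        if not buf:
            break
        chunks.append(buf)
    os.close(rfd)
    os.waitpid(pid, 0)
    result = json.loads(b"".join(chunks) or b'{"supported": false, "error": "no report"}')
    # The UTS namespace did its job: the host's own hostname is untouched.
    result["host_hostname_unchanged"] = socket.gethostname() == host_hostname
    return result


if __name__ == "__main__":
    print(json.dumps(run_in_new_namespaces(), indent=2))
```

When the kernel cooperates, the report shows hostname `sandbox`, PID 1, only the loopback interface, and all six namespace identifiers differing from the parent's, while the host's hostname is unchanged. The mount namespace is created but no mounts are changed, which matches the paper's remark that LXC layers chroots on top of namespaces to give a container its own root filesystem.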
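Worked example for Section III.B (Cgroups), added here and not LXC's or the paper's code. The class below drives control groups through their file interface: a directory is a group, writing a file sets a limit or moves a process, reading a file returns the kernel's accounting. It targets the cgroup v2 unified hierarchy of current kernels rather than the per-controller v1 trees LXC used in 2015, so the file names memory.max, pids.max, cpu.max, cgroup.procs and cgroup.subtree_control are v2 names. The class name and the `root` parameter are this example's conventions: pointing `root` at a scratch directory exercises the same writes and parsing without privileges, while the default is the real mount point.

```python
# Added example: cgroup v2 limits, membership and monitoring via the file API.
# Assumes cgroup v2 file names; the scratch-directory demo needs no root.
import os
import tempfile

CGROUP_ROOT = "/sys/fs/cgroup"
UNLIMITED = "max"  # the literal the kernel uses for "no limit"


def _num(s):
    """Kernel values are decimal strings or 'max'; missing files read as None."""
    return None if s in (None, UNLIMITED) else int(s)


class CgroupV2:
    def __init__(self, name, root=CGROUP_ROOT):
        self.root = root
        self.path = os.path.join(root, name)

    def _write(self, ctl, value):
        with open(os.path.join(self.path, ctl), "w") as f:
            f.write(str(value))

    def _read(self, ctl):
        try:
            with open(os.path.join(self.path, ctl)) as f:
                return f.read().strip()
        except FileNotFoundError:
            return None

    def create(self, controllers=("cpu", "memory", "pids")):
        """mkdir creates the group; the parent must delegate controllers through
        cgroup.subtree_control before their limit files appear in the child."""
        os.makedirs(self.path, exist_ok=True)
        with open(os.path.join(self.root, "cgroup.subtree_control"), "w") as f:
            f.write(" ".join("+" + c for c in controllers))
        return self

    def set_limits(self, memory_bytes=None, pids=None,
                   cpu_quota_us=None, cpu_period_us=100000):
        """None means 'max' (unlimited). pids.max bounds the number of tasks
        (the fork-bomb guard); memory.max confines the OOM killer to the group;
        cpu.max is 'quota period' in microseconds."""
        self._write("memory.max", UNLIMITED if memory_bytes is None else int(memory_bytes))
        self._write("pids.max", UNLIMITED if pids is None else int(pids))
        quota = UNLIMITED if cpu_quota_us is None else int(cpu_quota_us)
        self._write("cpu.max", f"{quota} {int(cpu_period_us)}")
        return self

    def add_process(self, pid):
        """Moving a PID (and all its future children) into the group is one write."""
        self._write("cgroup.procs", pid)
        return self

    def read_limits(self):
        cpu = (self._read("cpu.max") or "max 100000").split()
        return {
            "memory_max": _num(self._read("memory.max")),
            "pids_max": _num(self._read("pids.max")),
            "cpu_quota_us": _num(cpu[0]),
            "cpu_period_us": int(cpu[1]),
        }

    def read_usage(self):
        """Monitoring: current consumption as the kernel accounts it."""
        stat = {}
        for line in (self._read("cpu.stat") or "").splitlines():
            key, _, value = line.partition(" ")
            if value:
                stat[key] = int(value)
        return {
            "memory_current": _num(self._read("memory.current")),
            "pids_current": _num(self._read("pids.current")),
            "cpu_usage_usec": stat.get("usage_usec"),
        }


def demo_in_scratch_dir():
    """Run the whole protocol against a throw-away directory standing in for
    /sys/fs/cgroup, so the example runs without root."""
    root = tempfile.mkdtemp(prefix="cgdemo-")
    cg = (CgroupV2("demo", root=root).create()
          .set_limits(memory_bytes=256 << 20, pids=64, cpu_quota_us=50000)
          .add_process(os.getpid()))
    return cg.read_limits()


if __name__ == "__main__":
    print(demo_in_scratch_dir())
```

On a real system the writes need root or a subtree delegated by the init system, and the same class then reads back live memory.current and cpu.stat figures. The pids.max setting is what keeps a runaway process tree in one group from exhausting the host's process table, which is the "no interference between multiple groups" property the paper attributes to cgroups.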
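Worked example for Section IV, added here and not code from Docker or the paper, taking the host operator's view of what the daemon's call into libcontainer leaves behind: every process it starts lives in its own namespaces (Section III.A) and in a cgroup named after the container ID (Section III.B), and both are readable from /proc. The cgroup path layouts assumed are Docker's documented conventions, `/docker/<id>` with the cgroupfs driver and `.../docker-<id>.scope` with the systemd driver; the sample /proc/<pid>/cgroup texts and the 64-hex container ID are constructed for the example, and the function names are its own.

```python
# Added example: telling container processes from host processes using the
# namespace and cgroup footprints in /proc. Sample texts below are constructed.
import os
import re

NS_TYPES = ("mnt", "uts", "pid", "ipc", "user", "net")
# Docker's cgroup naming: "/docker/<id>" (cgroupfs driver) or
# ".../docker-<id>.scope" (systemd driver). Assumed conventions, see lead-in.
_DOCKER_PATH = re.compile(r"(?:^|/)docker[-/]([0-9a-f]{12,64})(?:\.scope)?(?:/|$)")

# Constructed samples of /proc/<pid>/cgroup contents.
SAMPLE_ID = "3f4e1a2b9c7d8e5f6a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f"
SAMPLES = {
    "v1_docker": f"12:pids:/docker/{SAMPLE_ID}\n11:memory:/docker/{SAMPLE_ID}\n",
    "v2_docker": f"0::/system.slice/docker-{SAMPLE_ID}.scope\n",
    "host": "0::/user.slice/user-1000.slice/session-2.scope\n",
}


def parse_proc_cgroup(text):
    """Parse /proc/<pid>/cgroup lines ('id:controllers:path' in v1,
    '0::path' in v2) into the list of cgroup paths."""
    paths = []
    for line in text.splitlines():
        parts = line.split(":", 2)
        if len(parts) == 3:
            paths.append(parts[2])
    return paths


def container_id_from_cgroup(text):
    """The Docker container ID a /proc/<pid>/cgroup text points at, or None."""
    for path in parse_proc_cgroup(text):
        m = _DOCKER_PATH.search(path)
        if m:
            return m.group(1)
    return None


def namespaces_shared_with_init(pid):
    """Which of a process's namespaces are identical to PID 1's. A container
    process shares none of mnt/uts/pid/ipc/net with init; a plain host process
    shares all six. Returns None when /proc/1/ns is not readable, which on
    most systems requires root or ptrace access to init."""
    try:
        init_ns = {n: os.readlink(f"/proc/1/ns/{n}") for n in NS_TYPES}
        proc_ns = {n: os.readlink(f"/proc/{pid}/ns/{n}") for n in NS_TYPES}
    except OSError:
        return None
    return {n: init_ns[n] == proc_ns[n] for n in NS_TYPES}


def classify(pid):
    """Label a live process 'container:<id>', 'isolated' (own namespaces but
    no Docker cgroup, e.g. LXC or a manual unshare) or 'host'."""
    try:
        with open(f"/proc/{pid}/cgroup") as f:
            cid = container_id_from_cgroup(f.read())
    except OSError:
        cid = None
    if cid:
        return f"container:{cid}"
    shared = namespaces_shared_with_init(pid)
    if shared is not None and not all(shared.values()):
        return "isolated"
    return "host"


if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(label, "->", container_id_from_cgroup(text))
    print("this process ->", classify(os.getpid()))
```

Run as root on a Docker host, `classify` applied to every PID in /proc gives an inventory of which processes belong to which container, independent of the Docker daemon's own bookkeeping; the cgroup path is the more reliable signal, and the namespace comparison catches containers created by other runtimes.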